HKU Coin: Towards Decentralized Privacy-Preserving Cryptocurrency with Accountability
Dr. Allen Au ([email protected])Associate Professor
Department of Computer ScienceFaculty of Engineering
HKU-SCF FinTech Academy – Research Seminar Series 2021.07.13
Outline
• Background• Requirements of HKU Coin• Design Philosophy of HKU Coin• Building Blocks• Homomorphic Encryption - Twisted ElGamal Encryption• Ring Signatures - DualRing
• Conclusion
Background
Privacy
Sender Anonymity
Transaction Confidentiality
Receiver Anonymity
Privacy in Payment System
$100?? ?
Alice Bob
Accountability in Payment SystemTx
Auditor
Tx𝑓 𝑡𝑥! = 1 ?
Validity check
Audit
Centralized Payment System
• txs are kept on a private ledger managed by a central authority (e.g., bank)• The authority is responsible for validity check, conduct audit, as well
as privacy protection
PayMe
Wechat pay
Decentralized Payment System (Blockchain-Based Cryptocurrencies)
• txs are kept on a global distributed public ledger - blockchain• To allow validity check by all nodes in the system, blockchain-based
cryptocurrencies Bitcoin and Ethereum, among others, simply expose all tx information publicly, i.e., there is no privacy in these systems
Blockchain
Motivation of HKU Coin
• Privacy and Accountability are crucial in any financial system
Bankruptcy of Lehman Brothers
Global Financial Crisis New cryptocurrencies
emerge, including Ethereum
Ethereum
There are now more than 2,000 tradable cryptocurrencies
Developments in the world of cryptocurrency
The birth of the first cryptocurrency, Bitcoin, and the first Bitcoin transaction occurred in 2009
Bitcoin
Privacy-oriented cryptocurrencies are created, like Monero and ZCash
Private cryptocurrencies
2008 2015 2020
2008-2009 2016
Can we achieve privacy and accountability simultaneously in the decentralize setting?
Requirements of HKU Coin
HKU Coin: Design Goal
•A blockchain-based decentralized cryptocurrency to provide privacy and accountability simultaneously• Account-Based Model • Sender Anonymity• Receiver Anonymity• Transaction Confidentiality• Decentralization• Accountability
Simplified System Model
Confidential Tx
Auditor
Tx𝑓 𝑡𝑥! = 1 ?
Validity check
Audit
? ?miners
Security Requirements
• Public Verifiability - validity of txs are publicly verifiable• Authenticity – only the sender can generate txs• Soundness – no one can generate an illegal tx that passes verification• Confidentiality – no one can learn the transfer amount• Anonymity* - no one can learn the identity of the sender and receiver• Accountability – auditor can conduct audit, users cannot provide
incorrect information about all txs it has participated
*we consider a strong form of anonymity which requires that actions from the same user are unlinkable
Design Philosophy of HKU Coin
Building Blocks of our ConstructionVerifiability
Authenticity
Soundness
Confidentiality
Anonymity
Accountability
Additively Homomorphic
Encryption
Ring Signatures
Zero-Knowledge Proofs
Confidentiality
• All account balances are encrypted by an additivelyHomomorphic Encryption (HE) so that only the owner canreview the details.
A 18B 22C 32D 18E 16
A Enc(18)B Enc(22)C Enc(32)D Enc(18)E Enc(16)
Account Balance Account Balancein Blockchain
𝑀!
𝑀"
ENC(𝑀!)
ENC(𝑀")
ENC(𝑀!)
ENC(𝑀")+
ENC(𝑀! +𝑀")
Twisted El Gamal EncryptionJoint work with Yu Chen, Xuecheng Ma and Cong Tang
Twisted El Gamal Encryption
• Public Parameter: 𝑔• Public / Secret key: (𝑝𝑘, 𝑠𝑘): =(𝑔# , 𝑥)• Encryption: (𝑐$, 𝑐%): =
(g&𝑝𝑘' , 𝑔')• Decryption: g& ≔ 𝑐$𝑐%(#, solve*
DL of 𝑔&
• Public Parameter: 𝑔, ℎ• Public / Secret key: (𝑝𝑘, 𝑠𝑘): =(𝑔# , 𝑥)• Encryption: (𝑐$, 𝑐%): =
(ℎ&𝑔' , 𝑝𝑘')
• Decryption: ℎ& ≔ 𝑐$𝑐%(!", solve*
DL of ℎ&
ElGamal Encryption
* Assume 𝑚 is small
Twisted ElGamal Encryption
As secure and efficient as the original ElGamal Encryption
The same format as a Pedersen
Commitment. Can use ZKP directly
Twisted ElGamalComparison with State-of-the-Art PHE (Paillier Encryption)
Scheme KeyGen Encryption Decryption Addition Key Size Ciphertext Size
Paillier 1644.53ms 32.211ms 31.367ms 0.0128ms 374 bytes 768 bytes
Twisted ElGamal 0.0151ms 0.114ms 1ms 0.0031ms 33 bytes 66 bytes
Scheme One-time Setup Cost Public Parameters
Paillier - -
Twisted ElGamal 56s 66 bytes
Assume 32-bit message space
DualRingJoint work with Tsz Hon Yuen, Muhammed F. Esgin, Joseph K. Liu and Zhimin Ding
Slides adapted from Joseph K. Liu’s presentation
Ring Signatures
https://medium.com/asecuritysite-when-bob-met-alice/ring-signatures-and-anonymisation-c9640f08a193
Conclusions
• We present the design of HKU coin, an account-based, efficient privacy-preserving decentralized cryptocurrencies with accountability • Simple & Modular• Transparent Setup
Future Work
• Allow users to generate audit report by himself/herself• More complex audit policy• Ensure rightful use of data by auditors• Post-Quantum Security
Timeline
Design of HKU Coin
Enhance Scalability & Auditor Responsibility
Proof-of-Concept Implementation
Post-quantum Security
Jun 2020
Jul 2022
Jul 2021
Jul 2023
PHASE I PHASE II PHASE III
References
• [Bulletproofs] B. Bunz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, G. Maxwell. Bulletproofs: Short Proofs for Confidential Transactions and More. IEEE S&P 2018• [DualRing] T.H. Yuen, M. F. Esgin, J.K. Liu, M. H. Au, Z. Ding. DualRing:
Generic Construction of Ring Signatures with Efficient Instantiations. CRYPTO 2021• [PGC] Y. Chen, X. Ma, C. Tang, M. H. Au. PGC: Decentralized Confidential
Payment System with Auditability. ESORICS 2020.• [zkLedger] N. Narula, W. Vasquez, M. Virza. Privacy-Preserving Auditing for
Distributed Ledgers. NSDI 2018.• [Zether] B. Bunz, S. Agrawal, M. Zamani, D. Boneh. Zether: Towards Privacy
in a Smart Contract World. FC 2020.
Questions and comments are welcome!
Project Team MembersDr. Allen AuMs. Karina KoMr. Franky LauMs. Mengling LiuDr. Xingye Lu
26CCF YOCSEF SHENZHEN 2020-2021